Re: Debian mirrors and MITM

[Michael Stone <mstone@debian.org>]

On Sat, May 31, 2014 at 12:11:28AM +1000, Alfie John wrote:
> On Sat, May 31, 2014, at 12:06 AM, micah anderson wrote:
> >         . keeps an adversary who may be listening on the wire from
> >           looking at what you are installing. who cares what you are
> >           installing? well it turns out that is very interesting
> >           information. If you can see that I've just installed X
> >           package, and you then just look over at our security tracker
> >           and find that this package has an exploit...
>
> It's only metadata, so who cares right? Only kidding. This is a totally
> legitimate scenario which I didn't think of. Nice.

So your solution to adding privacy is to make sure that every debian 
system checks in with debian directly rather than using a distributed 
infrastructure? I'd suggest looking at apt-transport-tor instead.

Mike Stone